b'                                                     U.S. OFFICE OF PERSONNEL MANAGEMENT\n                                                           OFFICE OF THE INSPECTOR GENERAL\n                                                                            OFFICE OF AUDITS\n\n\n\n                                   Final Audit Report\n\n  Subject:\n\n\n\n\n               AUDIT OF INFORMATION SYSTEMS\n            GENERAL AND APPLICATION CONTROLS AT\n                       WELLPOINT INC.\n\n\n                                            Report No. 1A-10-00-13-012\n\n                                            Date:                September 10,2013\n\n\n\n\n                                                          --CAUTION--\nThis audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit\nreport may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available\nunder the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before\nreleasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.\n\x0c                                                       Audit Report\n\n\n\n              FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM\n                           CONTRACT CS 1039\n                                                   WELLPOINT INC.\n                                                 PLAN CODES 10 / 11\n                                               ROANOKE, VIRGINIA\n\n\n\n                                          Report No. 
1A-10-00-13-012\n                                                              September 10, 2013\n                                          Date:\n\n\n\n\n                                                                                             ________________________\n                                                                                             Michael R. Esser\n                                                                                             Assistant Inspector General\n                                                                                               for Audits\n\n\n                                                          --CAUTION--\nThis audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit\nreport may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available\nunder the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before\nreleasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.\n\x0c                                   Executive Summary\n\n\n\n          FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM\n                       CONTRACT CS 1039\n                                     WELLPOINT INC.\n                                    PLAN CODES 10 / 11\n                                  ROANOKE, VIRGINIA\n\n\n\n                               Report No. 1A-10-00-13-012\n                                              September 10,2013\n                               Date:\n\n\nThis final report discusses the results of our audit of general and application controls over the\ninformation systems at WellPoint Inc. 
(WellPoint or Plan).\n\nOur audit focused on the claims processing applications used to adjudicate Federal Employees\nHealth Benefits Program (FEHBP) claims for WellPoint, as well as the various processes and\ninformation technology (IT) systems used to support these applications. We documented\ncontrols in place and opportunities for improvement in each of the areas below.\n\nSecurity Management\nWellPoint has established a series of IT policies and procedures to create an awareness of IT\nsecurity at the Plan. We also verified that WellPoint has adequate human resources policies\nrelated to the security aspects of hiring, training, transferring, and terminating employees.\n\nAccess Controls\nWellPoint has implemented numerous controls to grant and remove physical access to its data\ncenter, as well as logical controls to protect sensitive information. However, the physical access\ncontrols to one specific facility visited by auditors could be improved. We also noted\nweaknesses in WellPoint\xe2\x80\x99s implementation of segregation of duties and privileged user\nmonitoring.\n\n\n\n\n                                                  i\n\x0cNetwork Security\nWellPoint has implemented a thorough incident response and network security program.\nHowever, we noted several opportunities for improvement related to WellPoint\xe2\x80\x99s network\nsecurity controls. WellPoint has not implemented technical controls to prevent rogue devices\nfrom connecting to its network. Also, several specific servers containing Federal data are not\nsubject to routine vulnerability scanning, and we could not obtain evidence indicating that these\nservers have ever been subject to a vulnerability scan. In addition, WellPoint limited our ability\nto perform adequate testing in this area of the audit. 
As a result of this scope limitation and\nWellPoint\xe2\x80\x99s inability to provide additional supporting documentation, we are unable to\nindependently attest that WellPoint\xe2\x80\x99s computer servers maintain a secure configuration.\n\nConfiguration Management\nWellPoint has developed formal policies and procedures that provide guidance to ensure that\nsystem software is appropriately configured and updated, as well as for controlling system\nsoftware configuration changes. However, we noted that WellPoint\xe2\x80\x99s mainframe password\nsettings are not in compliance with its own corporate standards.\n\nContingency Planning\nWe reviewed WellPoint\xe2\x80\x99s business continuity plans and concluded that they contained the key\nelements suggested by relevant guidance and publications. We also determined that these\ndocuments are reviewed and updated on a periodic basis.\n\nClaims Adjudication\nWellPoint has implemented many controls in its claims adjudication process to ensure that\nFEHBP claims are processed accurately. However, we noted several weaknesses in WellPoint\xe2\x80\x99s\nclaims application controls. Additionally, there is no auditing to ensure the manual process for\ndebarring providers is done appropriately.\n\nHealth Insurance Portability and Accountability Act (HIPAA)\nNothing came to our attention that caused us to believe that WellPoint is not in compliance with\nthe HIPAA security, privacy, and national provider identifier regulations.\n\n\n\n\n                                                 ii\n\x0c                                                                Contents\n                                                                                                                                            Page\nExecutive Summary ......................................................................................................................... i\nI. 
Introduction ................................................................................................................................ 1\n    Background ................................................................................................................................ 1\n    Objectives ................................................................................................................................... 1\n    Scope .......................................................................................................................................... 1\n    Methodology .............................................................................................................................. 2\n    Compliance with Laws and Regulations .................................................................................... 3\nII. Audit Findings and Recommendations ...................................................................................... 4\n    A. Security Management ........................................................................................................... 4\n    B. Access Controls .................................................................................................................... 4\n    C. Network Security .................................................................................................................. 7\n    D. Configuration Management ................................................................................................ 11\n    E. Contingency Planning ......................................................................................................... 12\n    F. Claims Adjudication............................................................................................................ 12\n    G. Health Insurance Portability and Accountability Act ......................................................... 15\nIII. 
Major Contributors to This Report ......................................................................................... 17\n     Appendix: WellPoint\xe2\x80\x99s June 14, 2013 response to the draft audit report issued April 10, 2013.\n\x0c                                       I. Introduction\n\nThis final report details the findings, conclusions, and recommendations resulting from the audit\nof general and application controls over the information systems responsible for processing\nFederal Employees Health Benefits Program (FEHBP) claims by WellPoint Inc. (WellPoint or\nPlan).\n\nThe audit was conducted pursuant to FEHBP contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code\nof Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office\nof Personnel Management\xe2\x80\x99s (OPM) Office of the Inspector General (OIG), as established by the\nInspector General Act of 1978, as amended.\n\nBackground\nThe FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on\nSeptember 28, 1959. The FEHBP was created to provide health insurance benefits for federal\nemployees, annuitants, and qualified dependents. The provisions of the Act are implemented by\nOPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance\ncoverage is made available through contracts with various carriers that provide service benefits,\nindemnity benefits, or comprehensive medical services.\n\nThis was our second audit of WellPoint\xe2\x80\x99s general and application controls. The first audit was\nconducted in 2006, and all recommendations from that audit were closed prior to the start of the\ncurrent audit. 
We also reviewed WellPoint\xe2\x80\x99s compliance with the Health Insurance Portability\nand Accountability Act (HIPAA).\n\nObjectives\nThe objectives of this audit were to evaluate controls over the confidentiality, integrity, and\navailability of FEHBP data processed and maintained in WellPoint\xe2\x80\x99s IT environment.\nWe accomplished these objectives by reviewing the following areas:\n \xe2\x80\xa2   Security management;\n \xe2\x80\xa2   Access controls;\n \xe2\x80\xa2   Network security;\n \xe2\x80\xa2   Configuration management;\n \xe2\x80\xa2   Segregation of duties;\n \xe2\x80\xa2   Contingency planning;\n \xe2\x80\xa2   Application controls specific to WellPoint\xe2\x80\x99s claims processing systems; and\n \xe2\x80\xa2   HIPAA compliance.\n\nScope\nWe obtained an understanding of WellPoint\xe2\x80\x99s internal controls through interviews and\nobservations, as well as inspection of various documents, including information technology and\nother related organizational policies and procedures. This understanding of WellPoint\xe2\x80\x99s internal\ncontrols was used in planning the audit by determining the extent of compliance testing and other\n\n\n                                                  1\n\x0cauditing procedures necessary to verify that the internal controls were properly designed, placed\nin operation, and effective.\n\nThe scope of this audit centered on the information systems used by WellPoint to process\nmedical insurance claims for FEHBP members in the following states: Virginia, Connecticut,\nNew Hampshire, Maine, Ohio, Kentucky, Indiana, Missouri, Wisconsin, Nevada, Colorado, and\nCalifornia (institutional only). The business processes reviewed are primarily located in\nWellPoint\xe2\x80\x99s facilities in Virginia. We also toured WellPoint\xe2\x80\x99s primary data center located in\nMissouri.\n\nThe on-site portion of this audit was performed in January and February of 2013. 
We completed\nadditional audit work before and after the on-site visit at our office in Washington, D.C. The\nfindings, recommendations, and conclusions outlined in this report are based on the status of\ninformation system general and application controls in place at WellPoint as of March 2013.\n\nThis performance audit was conducted in accordance with generally accepted government\nauditing standards (GAS) issued by the Comptroller General of the United States, except for\nspecific applicable requirements that were not followed. There was one element of our audit in\nwhich WellPoint applied external interference with the application of audit procedures, resulting\nin our inability to fully comply with the GAS requirement of independence.\n\nWe routinely use our own automated tools to evaluate the configuration of a sample of computer\nservers. When we requested to conduct this test at WellPoint, we were informed that a corporate\npolicy prohibited external entities from connecting to the WellPoint network. In an effort to\nmeet our audit objective, we attempted to obtain additional information from WellPoint, but the\nPlan was unable to provide satisfactory evidence that it has ever had a program in place to\nroutinely monitor the configuration of its servers (see the \xe2\x80\x9cConfiguration Compliance Auditing\xe2\x80\x9d\nsection on page 9 for additional details.)\n\nAs a result of the scope limitation on our audit work and WellPoint\xe2\x80\x99s inability to provide\nadditional supporting documentation, we are unable to independently attest that WellPoint\xe2\x80\x99s\ncomputer servers maintain a secure configuration.\n\nIn conducting our audit, we relied to varying degrees on computer-generated data provided by\nWellPoint. 
Due to time constraints, we did not verify the reliability of the data used to complete\nsome of our audit steps but we determined that it was adequate to achieve our audit objectives.\nHowever, when our objective was to assess computer-generated data, we completed audit steps\nnecessary to obtain evidence that the data was valid and reliable.\n\nMethodology\nIn conducting this review we:\n\xe2\x80\xa2   Gathered documentation and conducted interviews;\n\xe2\x80\xa2   Reviewed WellPoint\xe2\x80\x99s business structure and environment;\n\xe2\x80\xa2   Performed a risk assessment of WellPoint\xe2\x80\x99s information systems environment and\n    applications, and prepared an audit program based on the assessment and the Government\n\n\n                                                2\n\x0c    Accountability Office\xe2\x80\x99s (GAO) Federal Information System Controls Audit Manual\n    (FISCAM); and\n\xe2\x80\xa2   Conducted various compliance tests to determine the extent to which established controls and\n    procedures are functioning as intended. As appropriate, we used judgmental sampling in\n    completing our compliance testing.\n\nVarious laws, regulations, and industry standards were used as a guide to evaluate WellPoint\xe2\x80\x99s\ncontrol structure. 
These criteria include, but are not limited to, the following publications:\n\xe2\x80\xa2   Office of Management and Budget (OMB) Circular A-130, Appendix III;\n\xe2\x80\xa2   OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of\n    Personally Identifiable Information;\n\xe2\x80\xa2   Information Technology Governance Institute\xe2\x80\x99s CobiT: Control Objectives for Information\n    and Related Technology;\n\xe2\x80\xa2   GAO\xe2\x80\x99s FISCAM;\n\xe2\x80\xa2   National Institute of Standards and Technology\xe2\x80\x99s Special Publication (NIST SP) 800-12,\n    Introduction to Computer Security;\n\xe2\x80\xa2   NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information\n    Technology Systems;\n\xe2\x80\xa2   NIST SP 800-30 Revision 1, Risk Management Guide for Information Technology Systems;\n\xe2\x80\xa2   NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;\n\xe2\x80\xa2   NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;\n\xe2\x80\xa2   NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information\n    Systems and Organizations;\n\xe2\x80\xa2   NIST SP 800-61, Computer Security Incident Handling Guide;\n\xe2\x80\xa2   NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA\n    Security Rule; and\n\xe2\x80\xa2   HIPAA Act of 1996.\n\nCompliance with Laws and Regulations\nIn conducting the audit, we performed tests to determine whether WellPoint\xe2\x80\x99s practices were\nconsistent with applicable standards. While generally compliant, with respect to the items tested,\nWellPoint was not in complete compliance with all standards as described in the \xe2\x80\x9cAudit Findings\nand Recommendations\xe2\x80\x9d section of this report.\n\n\n\n\n                                                3\n\x0c                      II. Audit Findings and Recommendations\n\nA. 
Security Management\n  The security management component of this audit involved the examination of the policies and\n  procedures that are the foundation of WellPoint\xe2\x80\x99s overall IT security controls. We evaluated\n  WellPoint\xe2\x80\x99s ability to develop security policies, manage risk, assign security-related\n  responsibility, and monitor the effectiveness of various system-related controls.\n\n  WellPoint has implemented a series of formal policies and procedures that comprise its security\n  management program. WellPoint\xe2\x80\x99s Chief Information Security Officer owns the Information\n  Security Program and is responsible for developing, implementing, and enforcing the program\xe2\x80\x99s\n  standards. WellPoint has also developed a thorough risk management methodology, and has\n  procedures to document, track, and mitigate or accept identified risks. We also reviewed\n  WellPoint\xe2\x80\x99s human resources policies and procedures related to hiring, training, transferring, and\n  terminating employees.\n\n  Nothing came to our attention to indicate that WellPoint does not have an adequate security\n  management program.\n\nB. Access Controls\n  Access controls are the policies, procedures, and techniques used to prevent or detect\n  unauthorized physical or logical access to sensitive resources.\n\n  We examined the physical access controls of WellPoint\xe2\x80\x99s facilities in St. Louis, Missouri and\n  Roanoke, Virginia. 
We also examined the logical access controls protecting sensitive data on\n  WellPoint\xe2\x80\x99s network environment and claims processing related applications.\n\n  The access controls observed during this audit include, but are not limited to:\n  \xe2\x80\xa2   Procedures for appropriately granting physical access to facilities and data centers;\n  \xe2\x80\xa2   Procedures for revoking access to data centers for terminated employees;\n  \xe2\x80\xa2   Procedures for removing Windows/network access for terminated employees; and\n  \xe2\x80\xa2   Controls to monitor and filter email and Internet activity.\n\n  The following sections document several opportunities for improvement related to WellPoint\xe2\x80\x99s\n  physical and logical access controls.\n\n  1. Privileged User Monitoring\n      WellPoint has configured its servers to record the activity of privileged users (i.e., system\n      administrators). However, the event logs generated by these servers are only reviewed\n      retroactively if a problem has been reported or detected.\n\n      NIST SP 800-53 Revision 3 requires that an organization \xe2\x80\x9cReviews and analyzes information\n      system audit records . . . for indications of inappropriate or unusual activity, and reports\n      findings to designated organizational officials\xe2\x80\xa6.\xe2\x80\x9d\n\n                                                    4\n\x0c   Failure to routinely review elevated user activity increases the risk that malicious activity\n   could go undetected and sensitive information could be compromised.\n\n   Recommendation 1\n   We recommend that WellPoint implement a process to routinely review elevated user\n   (administrator) activity.\n\n   WellPoint Response:\n   \xe2\x80\x9cThe Plan stated that Management is in the process of implementing an automated\n   monitoring program for privileged user access. 
The workflow process includes:\n\n   \xe2\x80\xa2   Automated 24X7 protected logging of \xe2\x80\x98events of interest\xe2\x80\x99 for the WellPoint mainframe,\n       Unix and Intel environments;\n\n   \xe2\x80\xa2   Monitoring of WellPoint\xe2\x80\x99s environment to audit and validate events that are triggered\n       by HIPAA-compliant auditing and logging (monitoring) criteria;\n\n   \xe2\x80\xa2   Integrating and leveraging of IBM\xe2\x80\x99s Security Intelligence portfolio, QRadar, within\n       the e-SIEM workflow, and WellPoint\xe2\x80\x99s change management system; and\n\n   \xe2\x80\xa2   Implementation of the monitoring tools will be implemented by year-end 2013, with\n       auditing and validation processes fully implemented by September 30, 2014.\xe2\x80\x9d\n\n   OIG Reply:\n   As part of the audit resolution process, we recommend that WellPoint provide OPM\xe2\x80\x99s\n   Healthcare and Insurance office (HIO) with evidence that a process to routinely review\n   elevated user activity has been implemented.\n\n2. Segregation of Duties\n   WellPoint does not have a documented process to ensure proper segregation of duties in its\n   Streamline claims adjudication application.\n\n   WellPoint uses role-based access control to grant access to Streamline, and many employees\n   are granted multiple roles as they gain experience in their job function. 
However, there is no\n   documented policy or procedure to indicate which roles would create a conflict (i.e., too\n   much control over the claims adjudication process) if granted to the same individual.\n\n   FISCAM states that \xe2\x80\x9cWork responsibilities should be segregated so that one individual does\n   not control critical stages of a process.\xe2\x80\x9d FISCAM also states that \xe2\x80\x9cManagement should have\n   analyzed operations and identified incompatible duties that are then segregated through\n   policies and organizational divisions.\xe2\x80\x9d\n\n\n\n\n                                                 5\n\x0c   Failure to enforce adequate segregation of duties in the claims processing application\n   increases the risk that erroneous or fraudulent claims could be processed.\n\n   Recommendation 2\n   We recommend that WellPoint implement a process for ensuring Streamline application\n   access is granted with proper segregation of duties.\n\n   WellPoint Response:\n   \xe2\x80\x9cThe Plan stated that job titles are utilized for granting security for associates. The three\n   Attachments\xe2\x80\xa6 include the matrix and procedures for granting security access that\n   demonstrates the changes made to enhance this process.\xe2\x80\x9d\n\n   OIG Reply:\n   The evidence provided by WellPoint in response to the draft audit report indicates that the\n   Plan has implemented a process to ensure access to Streamline is granted with proper\n   segregation of duties; no further action is required.\n\n3. Facility Physical Access Controls\n   The physical access controls at one of WellPoint\xe2\x80\x99s facilities in Virginia could be improved.\n\n   The facility uses an electronic card reader to control access to the building. 
However, we\n   observed numerous occasions when the door was propped open for deliveries and people\n   walked through the door without badging in or being checked by the security guard(s)\n   stationed nearby.\n\n   In addition, WellPoint does not have physical access controls in place to prevent employees\n   from piggybacking into secure areas (one person using an electronic access card to open a\n   door, then holding that door open while others enter). FISCAM states that \xe2\x80\x9cPhysical controls\n   at entrances and exits vary, but may include[:] manual door locks or cipher key locks,\n   magnetic door locks that require the use of electronic keycards, biometrics authentication,\n   security guards, photo IDs, entry logs, and electronic and visual surveillance systems.\xe2\x80\x9d\n\n   In addition, NIST SP 800-53 provides guidance for adequately controlling physical access to\n   information systems containing sensitive data (see control PE-3, Physical Access Control).\n\n   Failure to implement adequate physical access controls increases the risk that unauthorized\n   individuals can gain access to WellPoint facilities and the sensitive IT resources and\n   confidential data they contain.\n\n   Recommendation 3\n   We recommend that WellPoint reassess the physical access controls at its Roanoke, Virginia\n   facility, and implement controls that will ensure proper physical security. At a minimum,\n   WellPoint should add an alarm to the facility entrances that will detect a door left propped\n   open.\n\n\n                                                6\n\x0c     WellPoint Response:\n     \xe2\x80\x9cThe Plan stated that the facility currently has an access control system in place that alerts\n     security officers when a door is being held open. This system and functionality has been\n     in place for several years. 
The facility is undergoing a security upgrade and will have a\n     new system that will not only alert the onsite security officers of a door held open, but will\n     also notify corporate security officers at the security command center located in the\n     corporate headquarters building. This installation will be completed by June 30, 2013.\n     Upon completion of the system upgrade, the site will meet the risk and threat based\n     standards developed for all sites across the enterprise.\xe2\x80\x9d\n\n     OIG Reply:\n     As part of the audit resolution process, we recommend that WellPoint provide OPM\'s HIO\n     with evidence that the physical access security upgrades described in WellPoint\xe2\x80\x99s response to\n     the draft audit report have been implemented.\n\nC. Network Security\n  Network security includes the policies and controls used to prevent or monitor unauthorized\n  access, misuse, modification, or denial of a computer network and network-accessible resources.\n\n  WellPoint has implemented a thorough incident response and network security program.\n  However, we noted several opportunities for improvement related to WellPoint\xe2\x80\x99s network\n  security controls.\n\n  1. Preventing Rogue Devices\n     WellPoint has not implemented technical controls to prevent rogue devices (laptops,\n     workstations, or routers not issued by or approved by the company) from connecting to its\n     network.\n\n     NIST SP 800-53 Revision 3 states that information systems should uniquely identify and\n     authenticate devices before establishing a connection. Failure to implement technical\n     controls to detect rogue devices could allow anyone with physical access to WellPoint\n     facilities to connect an unauthorized device to WellPoint\xe2\x80\x99s network. 
This risk is magnified\n     by the relatively weak physical access controls observed at WellPoint\xe2\x80\x99s Roanoke, VA\n     facility.\n\n     Recommendation 4\n     We recommend that WellPoint implement technical controls to prevent rogue devices from\n     connecting to its network.\n\n     WellPoint Response:\n     \xe2\x80\x9cThe Plan stated that Management believes that the associated risk is adequately mitigated\n     based upon the following controls:\n\n     \xe2\x80\xa2   Authentication is required for all applications on our network.\n\n                                                 7\n\x0c   \xe2\x80\xa2   Direct wireless connectivity to the WellPoint network is prohibited.\n\n   \xe2\x80\xa2   Policies:\n          o Require training for all users, including annual employee certification.\n          o State who is/isn\'t authorized to physically be on WellPoint premises to help\n              protect both physical PHI (such as printed materials) and electronic PHI. Also,\n              devices that can/can\xe2\x80\x99t be connected to the WellPoint network are defined.\n          o State that a visitor must be escorted throughout the facility. Visitors coming to\n              our buildings are escorted while on the premises and WellPoint associates are\n              responsible for monitoring the activities of their visitors.\n\n   \xe2\x80\xa2   Controls are in place to enforce the physical security of our buildings, including\n       guards, badge readers, cameras, etc. to help prevent unauthorized individuals from\n       connecting rogue or unauthorized devices to the WellPoint network.\n\n   \xe2\x80\xa2   See physical access changes being implemented for the Roanoke, Virginia building\n       (Recommendation #3 response).\n\n   WellPoint\xe2\x80\x99s focus is on protecting the data. 
As outlined in the mitigating controls above,\n   along with our robust security event monitoring and network security program, we believe\n   that the risk has been adequately addressed. We continually monitor security exposures\n   and have built layers of defense to protect data, and will continue to implement programs\n   that have been proven effective.\xe2\x80\x9d\n\n   OIG Reply:\n   The controls described in WellPoint\xe2\x80\x99s response to the draft audit report could prevent\n   someone without authorized physical access to a WellPoint facility from connecting a device\n   to the network. However, none of the controls would prevent someone with authorized\n   access (e.g., employees, contractors, or guests) from connecting a personal device to the\n   WellPoint network. Therefore, we continue to recommend that WellPoint implement\n   technical controls to prevent rogue devices from connecting to its network.\n\n2. Full Scope Vulnerability Scanning\n   We conducted an extensive review of WellPoint\xe2\x80\x99s computer server vulnerability management\n   program to determine if adequate controls were in place to detect, track, and remediate\n   vulnerabilities. We determined that WellPoint has a mature vulnerability management\n   program and that the vast majority of devices are scanned on a routine basis. All detected\n   vulnerabilities are analyzed, prioritized, and tracked to remediation.\n\n   However, during our review we discovered that several specific servers containing Federal\n   data are not subject to routine vulnerability scanning, and we could not obtain evidence\n   indicating that these servers have ever been subject to a vulnerability scan. 
NIST SP 800-53\n   Revision 3 states that the organization should scan \xe2\x80\x9cfor vulnerabilities in the information\n   system and hosted applications\xe2\x80\xa6.\xe2\x80\x9d\n\n\n\n                                               8\n\x0c   Failure to perform full scope vulnerability scanning increases the risk that WellPoint\xe2\x80\x99s\n   systems are compromised and sensitive data stolen or destroyed.\n\n   Recommendation 5\n   We recommend that WellPoint ensure that vulnerability scanning is conducted on all servers,\n   specifically the servers housing Federal data that are not currently part of WellPoint\xe2\x80\x99s\n   vulnerability management program.\n\n   WellPoint Response:\n   \xe2\x80\x9cThe Plan stated that the only devices identified during the review that were not being\n   scanned were desktop devices that:\n\n   \xe2\x80\xa2   Do not contain FEP data, and are only used for additional computing power for tasks\n       that are generally performed on user desktops.\n\n   \xe2\x80\xa2   The Desktop Devices are being retired within the next 60 days. The Plan believes that it\n       has demonstrated that it scans all servers that contain FEP data. WellPoint\n       Information Security has processes in place to help ensure that newly provisioned\n       servers are scanned and certified prior to production use, and are added to the\n       scanning inventory that is used for conducting our periodic vulnerability scans. The\n       Plan will continue to work to help ensure that our scanning inventory is kept up-to date\n       and reflects the latest WellPoint server inventory.\xe2\x80\x9d\n\n   OIG Reply:\n   The fact that a specific server does not contain FEP data has no bearing on the importance of\n   keeping the device secure when it operates in the same environment as other devices that do\n   process FEP data. 
Any server not subject to routine scanning may contain a vulnerability\n   that an attacker could exploit to gain access to the WellPoint network. Once on the network,\n   it is much easier for the attacker to gain unauthorized access to FEP data. Therefore, we\n   continue to recommend that WellPoint conduct vulnerability scanning on all servers.\n\n3. Configuration Compliance Auditing\n   Configuration compliance auditing refers to the process of routinely comparing the actual\n   security configuration of computer servers to an approved baseline configuration. Our audit\n   objective with regards to configuration compliance auditing is to determine whether the\n   organization has a process in place to ensure that servers remain securely configured and up-\n   to-date with security patches.\n\n   In order to evaluate an FEHBP carrier\xe2\x80\x99s configuration compliance auditing program, we\n   typically use automated tools to document the actual configuration of a sample of servers.\n   We then manually compare the results to the company\xe2\x80\x99s approved baseline configuration.\n   When the actual settings generally match the approved baseline, we gain confidence that the\n   company\xe2\x80\x99s servers are securely configured.\n\n\n\n\n                                                9\n\x0cWhen we requested to conduct this test at WellPoint, we were informed that a corporate\npolicy prohibited external entities from connecting to the WellPoint network. In an effort to\nmeet our audit objective, we attempted to obtain additional information about WellPoint\xe2\x80\x99s\nconfiguration compliance auditing program. 
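The comparison described in this section, the actual settings of each server checked against an approved baseline, is straightforward to automate once the baseline is expressed as data. The following Python example is added here for illustration and is not part of the OIG's audit work, WellPoint's tooling or the Plan's response. It combines the three checks the report discusses: settings that deviate from the baseline (a variance covered by a formally approved exception, as the Plan's response describes, is not reported), servers with no evidence of a vulnerability scan or with a stale one (Recommendation 5), and high-severity findings open longer than the patch windows the Plan states in its response (90 days on DMZ servers, 180 days on internal servers). Setting names, server names, dates and the 30-day scan window are constructed for the example; only the two patch windows come from the report.

```python
"""Configuration compliance audit: compare each server's actual settings to an
approved baseline (the role a TCS document plays in the report), skip variances
that carry a formally approved exception, and flag servers with no scan
evidence, a stale scan, or a high-severity finding open past its patch window.

Added example, not OPM OIG's or WellPoint's tooling. Setting names, server
names, dates and the 30-day scan window are constructed for illustration; the
90-day (DMZ) and 180-day (internal) high-severity patch windows are the figures
given in the Plan's response to Recommendation 6.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Any

# Constructed approved baseline.
BASELINE: dict[str, Any] = {
    "password.min_length": 8,
    "password.max_age_days": 90,
    "password.lockout_threshold": 5,
    "remote.root_login": "no",
    "audit.logging_enabled": True,
}

# How numeric settings are judged: "min" = actual must be >= baseline,
# "max" = actual must be <= baseline. Anything else must match exactly.
NUMERIC_RULE = {
    "password.min_length": "min",
    "password.max_age_days": "max",
    "password.lockout_threshold": "max",
}

PATCH_SLA_DAYS = {"dmz": 90, "internal": 180}   # from the Plan's response
SCAN_WINDOW_DAYS = 30                            # constructed


@dataclass
class Server:
    name: str
    zone: str                          # "dmz" or "internal"
    settings: dict[str, Any]           # as collected from the host
    last_scan: date | None             # None: no evidence the host was ever scanned
    oldest_open_high: date | None      # first-seen date of the oldest open high finding
    exceptions: set[str] = field(default_factory=set)  # approved baseline variances


def setting_compliant(key: str, actual: Any) -> bool:
    """True if the actual value satisfies the baseline for this setting."""
    expected = BASELINE[key]
    rule = NUMERIC_RULE.get(key)
    if rule == "min":
        return actual >= expected
    if rule == "max":
        return actual <= expected
    return actual == expected


def audit_server(s: Server, today: date) -> list[str]:
    """Return the list of findings for one server; empty means compliant."""
    findings: list[str] = []
    for key, expected in BASELINE.items():
        if key not in s.settings:
            findings.append(f"{key}: not reported by host")
        elif not setting_compliant(key, s.settings[key]) and key not in s.exceptions:
            findings.append(f"{key}: actual={s.settings[key]!r} baseline={expected!r}")
    if s.last_scan is None:
        findings.append("vuln scan: no evidence of any scan")
    elif (today - s.last_scan).days > SCAN_WINDOW_DAYS:
        findings.append(f"vuln scan: last scan {(today - s.last_scan).days} days ago")
    if s.oldest_open_high is not None:
        age = (today - s.oldest_open_high).days
        if age > PATCH_SLA_DAYS[s.zone]:
            findings.append(f"patching: high-severity finding open {age} days "
                            f"(window {PATCH_SLA_DAYS[s.zone]})")
    return findings


def audit_fleet(servers: list[Server], today: date) -> dict[str, list[str]]:
    """Audit every server in the inventory; keyed by server name."""
    return {s.name: audit_server(s, today) for s in servers}


# Constructed sample inventory.
SAMPLE_TODAY = date(2013, 4, 26)
SAMPLE_FLEET = [
    Server("web01", "dmz",
           {"password.min_length": 12, "password.max_age_days": 60,
            "password.lockout_threshold": 5, "remote.root_login": "no",
            "audit.logging_enabled": True},
           last_scan=date(2013, 4, 10), oldest_open_high=None),
    Server("lpar1", "internal",
           {"password.min_length": 6, "password.max_age_days": 90,
            "password.lockout_threshold": 10, "remote.root_login": "no",
            "audit.logging_enabled": True},
           last_scan=date(2013, 4, 1), oldest_open_high=date(2012, 9, 1)),
    Server("batch07", "internal",
           {"password.min_length": 8, "password.max_age_days": 90,
            "password.lockout_threshold": 5, "remote.root_login": "yes",
            "audit.logging_enabled": True},
           last_scan=None, oldest_open_high=None,
           exceptions={"remote.root_login"}),   # approved variance, not a finding
]

if __name__ == "__main__":
    for name, issues in audit_fleet(SAMPLE_FLEET, SAMPLE_TODAY).items():
        print(name, "compliant" if not issues else "; ".join(issues))
```

Two design points matter for an auditor rather than an operator. First, the inventory is the input: a host that is not in the list is never checked, which is exactly the gap behind Recommendation 5, so the inventory fed to this check should come from an authoritative source (asset register, directory, cloud API) rather than from the scanner's own target list. Second, a setting the host fails to report is treated as a finding, not as compliant, so a collection failure cannot silently pass.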
We were initially provided a description of\nwhat appeared to be a thorough configuration compliance auditing program at WellPoint.\nHowever, when we requested documentation to support this description, WellPoint was\nunable to provide any evidence that a configuration compliance auditing program had ever\nbeen in place at the company.\n\nFailure to implement a thorough configuration compliance auditing program increases the\nrisk that insecurely configured servers remain undetected, creating a potential gateway for\nmalicious virus and hacking activity that could lead to data breaches.\n\nAs a result of the scope limitation on our audit work and WellPoint\xe2\x80\x99s inability to provide\nadditional supporting documentation, we are unable to independently attest that WellPoint\xe2\x80\x99s\ncomputer servers maintain a secure configuration.\n\nRecommendation 6\nWe recommend that WellPoint implement a configuration compliance auditing program.\n\nWellPoint Response:\n\xe2\x80\x9cThe Plan stated that its\xe2\x80\x99 Vulnerability Management Program includes ongoing patching.\nSecurity patches for high severity vulnerabilities are applied within 90 days on DMZ\nservers and 180 days on internal servers. For the configuration management compliance\nprogram, WellPoint is finalizing its transition to the Tivoli Endpoint Manager (TEM) tool\nfrom the Blade Logic tool. The tool transition is scheduled to be complete by June 30,\n2013, with the configuration management compliance program targeted to be fully\noperational by October 31, 2013 for midrange and Intel servers.\n\nThe Plan\xe2\x80\x99s contract with its outsource IT partner requires ongoing compliance to\nWellPoint\xe2\x80\x99s technical configuration standards (TCS). Variances to a TCS parameter\nrequire a security exception to be formally approved. 
Governance over this outsourced\narrangement is provided through WellPoint\xe2\x80\x99s configuration management compliance\nprogram.\xe2\x80\x9d\n\nOIG Reply:\nDuring the fieldwork phase of the audit, WellPoint provided us with conflicting statements\nregarding its plans to transition to Tivoli Endpoint Manager (TEM). These conflicting\nstatements along with WellPoint\xe2\x80\x99s inability to provide evidence that it performs\nconfiguration compliance scans ultimately led to us documenting a formal scope limitation.\nAs part of the audit resolution process, we recommend that WellPoint provide OPM\xe2\x80\x99s HIO\nwith evidence that the TEM tool has been fully implemented, and that it is routinely\nperforming configuration compliance audits. OPM\xe2\x80\x99s HIO should carefully scrutinize any\nsupporting documentation submitted by WellPoint related to this issue before considering\nclosure of this recommendation.\n\n\n                                            10\n\x0cD. Configuration Management\n  We evaluated WellPoint\xe2\x80\x99s controls to securely configure its mainframe, databases, and servers\n  that support the applications used to process FEHBP claims. We determined that the following\n  controls are in place:\n  \xe2\x80\xa2   Controls for securely managing changes to the operating platform and claims processing\n      application;\n  \xe2\x80\xa2   Detailed operating system configuration standards; and\n  \xe2\x80\xa2   Thorough patch management procedures.\n\n  However, we discovered that WellPoint\xe2\x80\x99s mainframe password settings are not in compliance\n  with its own corporate standards.\n\n  WellPoint has created Technical Configuration Standards (TCS) that outline approved\n  configuration settings for server and mainframe security software. We reviewed the Technical\n  Configuration Standards to determine if they conformed to industry best practices. 
We also\n  compared the approved TCS settings to the actual settings of WellPoint\xe2\x80\x99s servers and\n  mainframes. We determined that the TCS were created in accordance with best practices.\n  However, we found several mainframe security settings that were not in compliance with the\n  TCS.\n\n  Failure to configure password security settings in compliance with approved settings increases\n  the risk that unauthorized users could gain access to sensitive resources.\n\n  Recommendation 7\n  We recommend that WellPoint modify its mainframe password settings to comply with its\n  corporate policy.\n\n  WellPoint Response:\n  \xe2\x80\x9cThe Plan stated that when Technical Configuration Standards (TCS) parameters are\n  updated, a transition timeline is defined to comply with new or modified parameters for each\n  LPAR. The audit team reviewed ACF TCS version 1.0 which reflected recent password setting\n  updates to comply with HITRUST requirements, which the audit team noted as compliance\n  gaps. Since the completion of the audit, the WellPoint security team has updated and\n  published ACF TCS version 2.0.\n\n  As of April 26, 2013, the password settings have been updated to comply with ACF TCS\n  version 2.0, which was published on April 23, 2013. Procedures for the review process were\n  documented\xe2\x80\xa6.\xe2\x80\x9d\n\n  OIG Reply:\n  The evidence provided by WellPoint in response to the draft audit report indicates that the Plan\n  has made system modifications to align the mainframe password settings with its corporate\n  policy; no further action is required.\n\n\n                                                 11\n\x0cE. 
Contingency Planning\n  We reviewed the following elements of WellPoint\xe2\x80\x99s contingency planning program to determine\n  whether controls were in place to prevent or minimize damage and interruptions to business\n  operations when disastrous events occur:\n  \xe2\x80\xa2   Business continuity plans for several business locations and data center operations;\n  \xe2\x80\xa2   Disaster recovery plan for the claims processing system;\n  \xe2\x80\xa2   Disaster recovery plan tests conducted in conjunction with the recovery site; and\n  \xe2\x80\xa2   Emergency response procedures and training.\n\n  We determined that WellPoint\xe2\x80\x99s contingency planning documentation contained the critical\n  elements suggested by NIST SP 800-34 Revision 1, \xe2\x80\x9cContingency Planning Guide for Federal\n  Information Systems.\xe2\x80\x9d WellPoint has identified and prioritized the systems and resources that\n  are critical to business operations, and has developed detailed procedures to recover those\n  systems and resources.\n\n  Nothing came to our attention to indicate that WellPoint has not implemented adequate controls\n  related to contingency planning.\n\nF. Claims Adjudication\n  The following sections detail our review of the applications and business processes supporting\n  WellPoint\xe2\x80\x99s claims adjudication process.\n\n  1. Application Configuration Management\n      We evaluated the policies and procedures governing application development and change\n      control of WellPoint\xe2\x80\x99s claims processing systems.\n\n      WellPoint has implemented policies and procedures related to application configuration\n      management, and has adopted a system development life cycle methodology that IT\n      personnel follow during routine software modifications. 
We observed the following controls\n      related to testing and approvals of software modifications:\n      \xe2\x80\xa2   WellPoint has adopted practices that allow modifications to be tracked throughout the\n          change process;\n      \xe2\x80\xa2   Code, unit, system, and quality testing are all conducted in accordance with industry\n          standards; and\n      \xe2\x80\xa2   WellPoint uses a business unit independent from the software developers to move the\n          code between development and production environments to ensure adequate segregation\n          of duties.\n\n      Nothing came to our attention to indicate that WellPoint has not implemented adequate\n      controls related to the application configuration management process.\n\n\n\n\n                                                  12\n\x0c2. Claims Processing System\n   We evaluated the input, processing, and output controls associated with WellPoint\xe2\x80\x99s claims\n   processing system. We have determined the following controls are in place over WellPoint\xe2\x80\x99s\n   claims adjudication system:\n   \xe2\x80\xa2   Routine audits are conducted on WellPoint\xe2\x80\x99s front-end scanning vendor for incoming\n       paper claims;\n   \xe2\x80\xa2   Claims are monitored as they are processed through the systems with real time tracking\n       of the system\xe2\x80\x99s performance; and\n   \xe2\x80\xa2   Claims output files are fully reconciled.\n\n   Nothing came to our attention to indicate that WellPoint has not implemented adequate\n   controls over the claims processing system.\n\n3. Debarment\n   WellPoint has adequate procedures for updating its claims system with debarred provider\n   information, but it does not routinely audit its debarment database for accuracy.\n\n   WellPoint receives the OPM OIG debarment list every month and compares the monthly\n   changes to its internal provider file. 
Any debarred providers that appear in WellPoint's
   provider database are flagged to prevent claims submitted by that provider from being
   processed by the claims processing system.

   However, this process is done manually, and WellPoint does not have an auditing process in
   place to ensure that all modifications are accurate and complete.

   Failure to audit the accuracy of the debarment file increases the risk that claims are being
   paid to providers that are debarred.

   Recommendation 8
   We recommend that WellPoint implement a process to routinely audit the provider file to
   ensure that all debarment-related modifications are complete and accurate.

   WellPoint Response:
   "The Plan stated that based on the recommendation a new audit process was implemented
   effective June 1, 2013 to review the Debarred Provider Listings to ensure all debarment-
   related modifications to the Provider Files are complete and accurate. Procedures for the
   review process were documented…."

   OIG Reply:
   The evidence provided by WellPoint in response to the draft audit report indicates that the
   Plan has created a procedure to audit modifications to the debarment file; no further action is
   required.

4. Application Controls Testing
   We conducted a test on WellPoint's claims adjudication application to validate the system's
   claims processing controls.
The exercise involved processing test claims designed with
   inherent flaws and evaluating the manner in which WellPoint's system adjudicated the
   claims.

   Our test results indicate that the system has controls and edits in place to identify the
   following scenarios:

   • Invalid members and providers;
   • Member eligibility;
   • Gender;
   • Timely filing; and
   • Catastrophic maximum.

   The sections below document opportunities for improvement related to WellPoint's claims
   application controls.

   a. Provider/Procedure Inconsistency
       Two test claims were processed where a provider was paid for services outside the scope
       of their license.




       Recommendation 9
       We recommend that WellPoint ensure the appropriate system modifications are made to
       detect provider/procedure inconsistencies.

       WellPoint Response:
       "The Plan stated that it made a request to pend claims with the specific instance
       identified in the audit and this change should be complete within 60 days. We have
       also requested from the FEP Director's Office a listing of providers and the specialties
       that are considered outside of their license. A request to pend claims with specific
       criteria will be set up to stop each situation that is identified. The request for this wider
       net will be dependent upon the identification of providers and specialties.
Once
       identified, the necessary changes will be added to the system within 60 days."

       OIG Reply:
       As part of the audit resolution process, we recommend that WellPoint provide OPM's
       HIO with evidence that system modifications have been made to detect
       provider/procedure inconsistencies.

   b.




       Due to the potential fraudulent nature of this scenario, we expected the system to suspend
       these claims for further review; however, no edit was generated by the system. Failure to
       detect                        increases the risk that fraudulent or erroneous claims are
       paid.

       Recommendation 10
       We recommend that WellPoint ensure the appropriate system modifications are made to
       prevent            claims from processing without proper verification.

       WellPoint Response:
       "The Plan stated that it has requested that washznf(lron
       would capture only claims that
       This would allow WellPoint Plans to catJtuJ•e




       OIG Reply:
       As part of the audit resolution process, we recommend that WellPoint provide OPM's
       HIO with evidence that system modifications have been made to
       claims from being processed.

G. Health Insurance Portability and Accountability Act
  We reviewed WellPoint's efforts to maintain compliance with the security and privacy standards
  of HIPAA.

  WellPoint has implemented a series of IT security policies and procedures to adequately address
  the requirements of the HIPAA security rule. WellPoint has also developed a series of privacy
  policies and procedures that directly addresses all requirements of the HIPAA privacy rule.
  WellPoint reviews its HIPAA privacy and security policies annually and updates them when
  necessary.
WellPoint's Privacy Office oversees all HIPAA activities, and helps develop,
publish, and maintain corporate policies. Each year, all employees must complete compliance
training which encompasses HIPAA regulations as well as general compliance.

Nothing came to our attention to indicate that WellPoint is not in compliance with the various
requirements of HIPAA regulations.

                    III. Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:
•                  , Deputy Assistant Inspector General for Audits
•                      , Senior Team Leader
•                         , Auditor-In-Charge
•               , Lead IT Auditor
•                    , IT Auditor
•                            , IT Auditor

                                   Appendix

                                                                  Federal Employee Program
                                                                  1310 G Street, N.W.
June 14, 2013                                                     Washington, D.C. 20005
                                                                  202.942.1000
                                                                  Fax 202.942.1125

               , Lead
Information Systems Audits Group
Insurance Service Programs
Office of Personnel Management
1900 E Street, N.W., Room 6400
Washington, D.C.
20415\n\nReference:\t OPM DRAFT EDP AUDIT REPORT\n            WellPoint BlueCross BlueShield Plans\n            Audit Report Number 1A-10-00-13-012\n            Report Dated April 10, 2013 and Received April 10, 2013\n\nDear            :\n\nThis report is in response to the above-referenced U.S. Office of Personnel\nManagement (OPM) Draft Audit Report covering the Federal Employees Health\nBenefits Program (FEHBP) Audit of Information Systems General and Application\nControls for the Plan\xe2\x80\x99s interface with the FEP claims processing system, access, and\nsecurity controls. Our comments regarding the recommendations in this report are as\nfollows:\n\nA. Access Controls\n\n1. Privileged User Monitoring\n   Recommendation 1\n\n   The OIG Auditors recommend that WellPoint implement a process to routinely\n   review elevated user (administrator) activity.\n\n   Response to Recommendation 1\n\n   The Plan stated that Management is in the process of implementing an automated\n   monitoring program for privileged user access. The workflow process includes:\n\n   \xe2\x80\xa2\t Automated 24X7 protected logging of \xe2\x80\x98events of interest\xe2\x80\x99 for the WellPoint\n      mainframe, Unix and Intel environments;\n\x0c                , Lead\nJune 14, 2013\nPage 2\n\n\n   \xe2\x80\xa2\t Monitoring of WellPoint\xe2\x80\x99s environment to audit and validate events that are\n      triggered by HIPAA-compliant auditing and logging (monitoring) criteria;\n\n\n   \xe2\x80\xa2\t Integrating and leveraging of IBM\xe2\x80\x99s Security Intelligence portfolio, QRadar,\n      within the e-SIEM workflow, and WellPoint\xe2\x80\x99s change management system; and\n\n\n   \xe2\x80\xa2\t Implementation of the monitoring tools will be implemented by year-end 2013,\n      with auditing and validation processes fully implemented by\n      September 30, 2014.\n\n2. 
\t Segregation of Duties\n\n   Recommendation 2\n\n   The OIG Auditors recommend that WellPoint implement a process for ensuring\n   Streamline application access is granted with proper segregation of duties.\n\n\n   Response to Recommendation 2\n\n   The Plan stated that job titles are utilized for granting security for associates. The\n   three Attachments (Rec 2 Attachment A; Rec 2 Attachment B; and Rec 2\n   Streamline Security should this be Attachment C) include the matrix and\n   procedures for granting security access that demonstrates the changes made to\n   enhance this process.\n\n3. Facility Physical Access Controls- Greg Wurm/ Data Center\n   .\n   Recommendation 3\n\n   The OIG Auditors recommend that WellPoint reassess the physical access\n   controls at its Roanoke, Virginia facility, and implement controls that will ensure\n   proper physical security. At a minimum, WellPoint should add an alarm to the\n   facility entrances that will detect a door left propped open.\n   .\n   Response to Recommendation 3\n\n   The Plan stated that the facility currently has an access control system in place\n   that alerts security officers when a door is being held open. This system and\n   functionality has been in place for several years.\n\x0c                , Lead\nJune 14, 2013\nPage 3\n\n\n    The facility is undergoing a security upgrade and will have a new system that will\n    not only alert the onsite security officers of a door held open, but will also notify\n    corporate security officers at the security command center located in the corporate\n    headquarters building. This installation will be completed by June 30, 2013. Upon\n    completion of the system upgrade, the site will meet the risk and threat based\n    standards developed for all sites across the enterprise.\n     .\nB. \tNetwork\xc2\xa0Security\xc2\xa0\xc2\xa0\n\n\n1. 
Detection of Rogue Devices\n\n   Recommendation 4\n\n   The OIG Auditors recommend that WellPoint implement technical controls to\n   prevent rogue devices from connecting to its network.\n\n   Response to Recommendation 4\n\n   The Plan stated that Management believes that the associated risk is adequately\n   mitigated based upon the following controls:\n\n   \xef\x82\xb7\t Authentication is required for all applications on our network.\n\n   \xef\x82\xb7\t Direct wireless connectivity to the WellPoint network is prohibited.\n\n   \xef\x82\xb7\t Policies:\n\n          o\t Require training for all users, including annual employee certification.\n          o\t State who is/isn\'t authorized to physically be on WellPoint premises to\n             help protect both physical PHI (such as printed materials) and electronic\n             PHI. Also, devices that can/can\xe2\x80\x99t be connected to the WellPoint network\n             are defined.\n          o\t State that a visitor must be escorted throughout the facility. Visitors\n             coming to our buildings are escorted while on the premises and\n             WellPoint associates are responsible for monitoring the activities of their\n             visitors.\n\n   \xef\x82\xb7\t Controls are in place to enforce the physical security of our buildings, including\n      guards, badge readers, cameras, etc. to help prevent unauthorized individuals\n      from connecting rogue or unauthorized devices to the WellPoint network.\n\x0c                , Lead\nJune 14, 2013\nPage 4\n\n\n\n   \xef\x82\xb7\t See physical access changes being implemented for the Roanoke, Virginia\n      building (Recommendation #3 response).\n\n   WellPoint\xe2\x80\x99s focus is on protecting the data. As outlined in the mitigating controls\n   above, along with our robust security event monitoring and network security\n   program, we believe that the risk has been adequately addressed. 
We continually\n   monitor security exposures and have built layers of defense to protect data, and\n   will continue to implement programs that have been proven effective.\n\n2. Vulnerability Scanning\n\n   Recommendation 5\n\n   The OIG Auditors recommend that WellPoint ensure that vulnerability scanning is\n   conducted on all servers, specifically the servers housing Federal data that are not\n   currently part of WellPoint\xe2\x80\x99s vulnerability management program.\n   .\n   Response to Recommendation 5\n\n   The Plan stated that the only devices identified during the review that were not\n   being scanned were desktop devices that:\n\n   \xe2\x80\xa2\t Do not contain FEP data, and are only used for additional computing power for\n      tasks that are generally performed on user desktops.\n\n   \xe2\x80\xa2\t The Desktop Devices are being retired within the next 60 days. The Plan\n      believes that it has demonstrated that it scans all servers that contain FEP data.\n      WellPoint Information Security has processes in place to help ensure that newly\n      provisioned servers are scanned and certified prior to production use, and are added\n      to the scanning inventory that is used for conducting our periodic vulnerability scans.\n      The Plan will continue to work to help ensure that our scanning inventory is kept up-to-\n      date and reflects the latest WellPoint server inventory.\n\n3. \tConfiguration Compliance Auditing\n\n   Recommendation 6\n\n   The OIG Auditors recommend that WellPoint implement a configuration \n\n   compliance auditing program. \n\n\x0c                , Lead\nJune 14, 2013\nPage 5\n\n\n   Response to Recommendation 6\n\n   The Plan stated that its\xe2\x80\x99 Vulnerability Management Program includes ongoing\n   patching. Security patches for high severity vulnerabilities are applied within 90\n   days on DMZ servers and 180 days on internal servers. 
For the configuration\n   management compliance program, WellPoint is finalizing its transition to the Tivoli\n   Endpoint Manager (TEM) tool from the Blade Logic tool. The tool transition is\n   scheduled to be complete by June 30, 2013, with the configuration management\n   compliance program targeted to be fully operational by October 31, 2013 for\n   midrange and Intel servers.\n\n   The Plan\xe2\x80\x99s contract with its outsource IT partner requires ongoing compliance to\n   WellPoint\xe2\x80\x99s technical configuration standards (TCS). Variances to a TCS\n   parameter require a security exception to be formally approved. Governance over\n   this outsourced arrangement is provided through WellPoint\xe2\x80\x99s configuration\n   management compliance program.\n\nC. Configuration\xc2\xa0Management\n\n\n   Recommendation 7\n\n   The OIG Auditors recommend that WellPoint modify its mainframe password\n   settings to comply with its corporate policy.\n\n   Response to Recommendation 7\n\n   The Plan stated that when Technical Configuration Standards (TCS) parameters\n   are updated, a transition timeline is defined to comply with new or modified\n   parameters for each LPAR. The audit team reviewed ACF TCS version 1.0 which\n   reflected recent password setting updates to comply with HITRUST requirements,\n   which the audit team noted as compliance gaps. Since the completion of the audit,\n   the WellPoint security team has updated and published ACF TCS version 2.0.\n\n   As of April 26, 2013, the password settings have been updated to comply with ACF\n   TCS version 2.0, which was published on April 23, 2013. Procedures for the\n   review process were documented. See attachments Rec 7 IS-TCS-009 ACF2v2.0\n   and Rec 7 VA ACF2 Mainframe Co provide details of the changes made.\n\x0c                , Lead\nJune 14, 2013\nPage 6\n\n\nClaims Adjudication\n\n1. 
Debarment\n\n   Recommendation 8\n\n   The OIG Auditors recommend that WellPoint implement a process to routinely\n   audit the provider file to ensure that all debarment related modifications are\n   complete and accurate.\n\n   Response to Recommendation 8\n   The Plan stated that based on the recommendation a new audit process was\n   implemented effective June 1, 2013 to review the Debarred Provider Listings to\n   ensure all debarment related modifications to the Provider Files are complete and\n   accurate. Procedures for the review process were documented. See embedded\n   attachment entitled Rec 8 Debarred Provider Audit.\n\n2. Provider/Procedure Inconsistency\n\n   Recommendation 9\n\n   The OIG Auditors recommend that WellPoint ensure the appropriate system \n\n   modifications are made to detect provider/procedure inconsistencies \n\n\n\n   Response to Recommendation 9\n\n   The Plan stated that it made a request to pend claims with the specific instance\n   identified in the audit and this change should be complete within 60 days. We have\n   also requested from the FEP Director\xe2\x80\x99s Office a listing of providers and the\n   specialties that are considered \xe2\x80\x99outside of their license. ) A request to pend claims\n   with specific criteria) will be set up to stop each situation that is identified. The\n   request for this wider net will be dependent upon the identification of providers and\n   specialties. 
Once identified, the necessary changes will be added to the system
   within 60 days.

                       Lead

3.

     Recommendation 10

     The OIG Auditors recommend that WellPoint ensure that the appropriate system
     modifications are made to prevent             claims from processing without
     proper verification.

     Response to Recommendation 10

     The Plan stated that it has requested that Washin
     would capture only claims that are
     This would allow WellPoint Plans to
     automation would then be created to
     provide a denial reason similar to "



     We appreciate the opportunity to provide our response to this Draft Audit Report and
     request that our comments be included in their entirety as an amendment to the Final
     Audit Report.

     Sincerely,



                       , CPA
     Manager, Government Audit Resolution and Coordination
     Program Assurance


     Attachments (6)
     cc:                      WellPoint BCBS
                                      , WellPoint BCBS